Re: [sqlmap-users] sqlmap-users Digest, Vol 26, Issue 1
Brought to you by:
inquisb
Menu
▾
▴
Re: [sqlmap-users] sqlmap-users Digest, Vol 26, Issue 1
|
From: Andres F. <an...@an...> - 2012-09-15 00:15:09
|
-- Andres Ferraro On Friday, September 14, 2012 at 6:33 PM, sql...@li... wrote: > Send sqlmap-users mailing list submissions to > sql...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > or, via email, send a message with subject or body 'help' to > sql...@li... > > You can reach the person managing the list at > sql...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of sqlmap-users digest..." > > > Today's Topics: > > 1. TypeError: argument of type 'NoneType' is not iterable (M Zverev) > 2. Re: TypeError: argument of type 'NoneType' is not iterable > (Miroslav Stampar) > 3. Help read file (Jorge Vespa) > 4. Re: Help read file (Dennis) > 5. Re: Help read file (Miroslav Stampar) > 6. Disable output coloring (M Zverev) > 7. Injecting into LIMIT ints (Chris Oakley) > 8. Re: Injecting into LIMIT ints (Miroslav Stampar) > 9. sqlmap error (D Atkin) > 10. Re: Injecting into LIMIT ints (Chris Oakley) > 11. MemoryError (Happy User) > 12. Re: sqlmap error (Miroslav Stampar) > 13. Re: MemoryError (Miroslav Stampar) > 14. Re: Disable output coloring (Peter Thomas) > 15. Re: Disable output coloring (Miroslav Stampar) > 16. Re: Disable output coloring (Peter Thomas) > 17. ask error in sqlmap (muhammad husaini harun) > 18. Re: ask error in sqlmap (Brandon Perry) > 19. tag FORM not supported (Marco Mirandola) > 20. Re: tag FORM not supported (Timon Wang) > 21. Re: tag FORM not supported (Miroslav Stampar) > 22. Re: tag FORM not supported (Marco Mirandola) > 23. Re: tag FORM not supported (Chris Oakley) > 24. Re: tag FORM not supported (Miroslav Stampar) > 25. Rieqy Erysya (root rieqy) > 26. Re: Rieqy Erysya (Miroslav Stampar) > 27. Anyone having trouble with --eval? (Sergio Molina) > 28. UnicodeEncodeError: 'ascii' codec can't encode characters in > position 32-47: ordinal not in range(128) (Happy User) > 29. Re: UnicodeEncodeError: 'ascii' codec can't encode characters > in position 32-47: ordinal not in range(128) (Miroslav Stampar) > 30. Re: Anyone having trouble with --eval? (Miroslav Stampar) > 31. Two problems with sqlmap (Duarte Silva) > 32. freebsd9.0/unhandled exception in sqlmap/0.9 (milong mao) > 33. Re: freebsd9.0/unhandled exception in sqlmap/0.9 > (Miroslav Stampar) > 34. Melhorar o scan (Roberto Neves) > 35. Re: Melhorar o scan (Andr? Silva) > 36. Re: Melhorar o scan (du...@al...) > 37. Re: Melhorar o scan (James) > 38. Re: Two problems with sqlmap (Miroslav Stampar) > 39. Re: Two problems with sqlmap (Duarte Silva) > 40. Re: Two problems with sqlmap (Miroslav Stampar) > 41. Re: Two problems with sqlmap (Duarte Silva) > 42. Bypassing IDS/IPS (Arturs Pavlovs) > 43. Re: Bypassing IDS/IPS (du...@al...) > 44. Re: Bypassing IDS/IPS (Chris Oakley) > 45. Problem with multiple target mode (David London) > 46. Re: Problem with multiple target mode (Miroslav Stampar) > 47. unhandled exception (el draco) > 48. Re: unhandled exception (Miroslav Stampar) > 49. Re: unhandled exception (Andr? Silva) > 50. Re: unhandled exception (Miroslav Stampar) > 51. wrong file size checking with os-shell (Robin Wood) > 52. Re: wrong file size checking with os-shell (Miroslav Stampar) > 53. Re: wrong file size checking with os-shell (Robin Wood) > 54. Simple failed injection (Stephen Shkardoon) > 55. Re: Simple failed injection (Miroslav Stampar) > 56. Re: Simple failed injection (Stephen Shkardoon) > 57. Re: Simple failed injection (Miroslav Stampar) > 58. Re: Simple failed injection (Stephen Shkardoon) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 28 Jul 2012 15:33:18 +0400 > From: M Zverev <rob...@gm...> > Subject: [sqlmap-users] TypeError: argument of type 'NoneType' is not > iterable > To: sql...@li... > Message-ID: <501...@gm...> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > [15:12:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev-dba0a96, > retry your run with the latest development version from the G > itHub repository. If the exception persists, please send by e-mail to > 'sql...@li...' or open a new issue at > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. Th > e developers will try to reproduce the bug, fix it accordingly and get > back to you. > sqlmap version: 1.0-dev-dba0a96 > Python version: 2.7.3 > Operating system: nt > Command line: d:\Soft\sqlmap-dev\sqlmap.py -c x --dbs -u > *************************************** -D ****** -T *********** --dump > Technique: UNION > Back-end DBMS: MySQL (fingerprinted) > Traceback (most recent call last): > File "d:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main > start() > File "d:\Soft\sqlmap-dev\lib\controller\controller.py", line 571, in > start > action() > File "d:\Soft\sqlmap-dev\lib\controller\action.py", line 110, in action > conf.dbmsHandler.dumpTable() > File "d:\Soft\sqlmap-dev\plugins\generic\enumeration.py", line 1634, > in dumpTable > entries = inject.getValue(query, blind=False, dump=True) > File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 400, in getValue > value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL > else query, unpack, dump) > File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 354, in __goInband > output = unionUse(expression, unpack=unpack, dump=dump) > File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 345, in > unionUse > value = __oneShotUnionUse(expression, unpack) > File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 83, in > __oneShotUnionUse > if kb.chars.stop not in page and kb.chars.stop[:-1] in page: > TypeError: argument of type 'NoneType' is not iterable > > > > ------------------------------ > > Message: 2 > Date: Sun, 29 Jul 2012 17:34:42 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] TypeError: argument of type 'NoneType' is > not iterable > To: M Zverev <rob...@gm...> > Cc: sql...@li... > Message-ID: > <CA+9yoX16=+4P...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > Thank you for your report and find it fixed with the latest commit [1]. > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/126 > > On Sat, Jul 28, 2012 at 1:33 PM, M Zverev <rob...@gm...> wrote: > > > [15:12:16] [CRITICAL] unhandled exception in sqlmap/1.0-dev-dba0a96, > > retry your run with the latest development version from the G > > itHub repository. If the exception persists, please send by e-mail to > > 'sql...@li...' or open a new issue at > > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > > text and any information required to reproduce the bug. Th > > e developers will try to reproduce the bug, fix it accordingly and get > > back to you. > > sqlmap version: 1.0-dev-dba0a96 > > Python version: 2.7.3 > > Operating system: nt > > Command line: d:\Soft\sqlmap-dev\sqlmap.py -c x --dbs -u > > *************************************** -D ****** -T *********** --dump > > Technique: UNION > > Back-end DBMS: MySQL (fingerprinted) > > Traceback (most recent call last): > > File "d:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main > > start() > > File "d:\Soft\sqlmap-dev\lib\controller\controller.py", line 571, in > > start > > action() > > File "d:\Soft\sqlmap-dev\lib\controller\action.py", line 110, in action > > conf.dbmsHandler.dumpTable() > > File "d:\Soft\sqlmap-dev\plugins\generic\enumeration.py", line 1634, > > in dumpTable > > entries = inject.getValue(query, blind=False, dump=True) > > File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 400, in getValue > > value = __goInband(forgeCaseExpression if expected == EXPECTED.BOOL > > else query, unpack, dump) > > File "d:\Soft\sqlmap-dev\lib\request\inject.py", line 354, in __goInband > > output = unionUse(expression, unpack=unpack, dump=dump) > > File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 345, in > > unionUse > > value = __oneShotUnionUse(expression, unpack) > > File "d:\Soft\sqlmap-dev\lib\techniques\union\use.py", line 83, in > > __oneShotUnionUse > > if kb.chars.stop not in page and kb.chars.stop[:-1] in page: > > TypeError: argument of type 'NoneType' is not iterable > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 3 > Date: Sun, 29 Jul 2012 22:51:49 -0400 > From: "Jorge Vespa" <jv...@co...> > Subject: [sqlmap-users] Help read file > To: <sql...@li...> > Message-ID: <080501cd6dfe$43f6f030$cbe4d090$@com.bo> > Content-Type: text/plain; charset="us-ascii" > > Hi, great tool. > > > I could never read or write a file on the server, I don't know why. > > > For example this vulnerable web: > > > python sqlmap.py -u "http://www.redpat.tv/php/multimedia/p3.php?codigo=REEL" > --file-read "/www/redpat.tv/htdocs/php/multimedia/p3.php" -v 5 > > > It return the error: /www/redpat.tv/htdocs/php/multimedia/p3.php file saved > to: 'None' > > > If you go to: > > http://www.redpat.tv/php/multimedia/p3.php?codigo=REEL' > > you can see selecting to see the text, that the path on the server is right, > thanks to the error message. > > > Hope you can help me, thanks. > > > > Jorge Vespa > COTASnet > 3862818 > Santa Cruz - Bolivia > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 4 > Date: Mon, 30 Jul 2012 08:59:48 +0200 > From: Dennis <kor...@ya...> > Subject: Re: [sqlmap-users] Help read file > To: Jorge Vespa <jv...@co...> > Cc: sql...@li... > Message-ID: <501...@ya...> > Content-Type: text/plain; charset=ISO-8859-1 > > Hi Jorge, > > please do not post any vulnerabilities of real web pages to the mailing > list. Could get you or anyone replying into trouble. > > Cheers, > Dennis > > > > ------------------------------ > > Message: 5 > Date: Mon, 30 Jul 2012 13:14:32 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Help read file > To: Dennis <kor...@ya...> > Cc: sql...@li... > Message-ID: > <CA+9yoX0+U7U2Bt8qNv9sNXmRGtgbXtYNifHsy-Z5=CeV...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Jorge. > > Dennis is right. Posting real targets on this ML is considered as an > inappropriate. > > In your case you are most probably having problems with backend DBMS > permissions as in majority of similar cases. > > In such cases switches -t and/or --parse-errors are great for debugging > purposes. > > Kind regards, > Miroslav Stampar > > On Mon, Jul 30, 2012 at 8:59 AM, Dennis <kor...@ya...> wrote: > > > Hi Jorge, > > > > please do not post any vulnerabilities of real web pages to the mailing > > list. Could get you or anyone replying into trouble. > > > > Cheers, > > Dennis > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 6 > Date: Thu, 02 Aug 2012 15:17:44 +0400 > From: M Zverev <rob...@gm...> > Subject: [sqlmap-users] Disable output coloring > To: sql...@li... > Message-ID: <501...@gm...> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > I often redirect sqlmap output to a text file with the command >, and > that leave annoying marks like > [0m > [31m > at the beginning and the end of lines, and I have to clean that out. > Is there a way to disable output coloring? > > > > ------------------------------ > > Message: 7 > Date: Fri, 3 Aug 2012 15:08:32 +0100 > From: Chris Oakley <chr...@gm...> > Subject: [sqlmap-users] Injecting into LIMIT ints > To: sql...@li... > Message-ID: > <CAF6VE=pnf...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi All > > I have found that an application has a rewritten URL element that ends up > in a SQL query. The error message tells me that I'm injecting into the > LIMIT number at the end of the query. This appears to be the only point of > injection for now. > > A simplified version of the query that's being injected into is: > > SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, > created_date DESC LIMIT foo, 10 > > 'foo' is my injection and of course gives a syntax error. > > I know that apostrophes/ticks (as in the ' character) are blocked as a > minimum. > > Does anyone have any experience injecting this late in a query? Any ideas > would be greatly received. > > Regards > > Chris > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 8 > Date: Fri, 3 Aug 2012 17:15:05 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Injecting into LIMIT ints > To: Chris Oakley <chr...@gm...> > Cc: sql...@li... > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Chris. > > In those kind of cases UNION injection should be a solution. > > As LIMIT doesn't accept subquery as an operand you have to append a UNION > ALL SELECT to the original value (foo in your case) and necessarily add a > comment to the end (e.g. --) to neutralize that second operand of affected > LIMIT part. > > To make it short, LIMIT doesn't accept subqueries and standard non-UNION > based injection techniques should fail (as they "seed" their payload into > the affected SQL form - in this case LIMIT). > > Kind regards, > Miroslav Stampar > > On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley > <chr...@gm...>wrote: > > > Hi All > > > > I have found that an application has a rewritten URL element that ends up > > in a SQL query. The error message tells me that I'm injecting into the > > LIMIT number at the end of the query. This appears to be the only point of > > injection for now. > > > > A simplified version of the query that's being injected into is: > > > > SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, > > created_date DESC LIMIT foo, 10 > > > > 'foo' is my injection and of course gives a syntax error. > > > > I know that apostrophes/ticks (as in the ' character) are blocked as a > > minimum. > > > > Does anyone have any experience injecting this late in a query? Any ideas > > would be greatly received. > > > > Regards > > > > Chris > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 9 > Date: Fri, 3 Aug 2012 16:37:19 +0000 > From: D Atkin <je...@ho...> > Subject: [sqlmap-users] sqlmap error > To: <sql...@li...> > Message-ID: <COL...@ph...l> > Content-Type: text/plain; charset="windows-1256" > > > hi > > im try to run sqlmap from msf but i keep getting this error > > the sqlmap script could not be found: > > iv already had sqlmap path to system Path envirounment put im still getting this error. > > can u tell me what i can do from here. > > Thank you! > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 10 > Date: Fri, 3 Aug 2012 17:37:22 +0100 > From: Chris Oakley <chr...@gm...> > Subject: Re: [sqlmap-users] Injecting into LIMIT ints > To: Miroslav Stampar <mir...@gm...> > Cc: sql...@li... > Message-ID: > <CAF6VE=pT7...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Thanks Miroslav, I'll give it a go! > > On 3 August 2012 16:15, Miroslav Stampar <mir...@gm...> wrote: > > > Hi Chris. > > > > In those kind of cases UNION injection should be a solution. > > > > As LIMIT doesn't accept subquery as an operand you have to append a UNION > > ALL SELECT to the original value (foo in your case) and necessarily add a > > comment to the end (e.g. --) to neutralize that second operand of affected > > LIMIT part. > > > > To make it short, LIMIT doesn't accept subqueries and standard non-UNION > > based injection techniques should fail (as they "seed" their payload into > > the affected SQL form - in this case LIMIT). > > > > Kind regards, > > Miroslav Stampar > > > > On Fri, Aug 3, 2012 at 4:08 PM, Chris Oakley <chr...@gm... > > > wrote: > > > > > > > Hi All > > > > > > I have found that an application has a rewritten URL element that ends up > > > in a SQL query. The error message tells me that I'm injecting into the > > > LIMIT number at the end of the query. This appears to be the only point of > > > injection for now. > > > > > > A simplified version of the query that's being injected into is: > > > > > > SELECT * FROM posts WHERE site_id = '1' ORDER BY post_date DESC, > > > created_date DESC LIMIT foo, 10 > > > > > > 'foo' is my injection and of course gives a syntax error. > > > > > > I know that apostrophes/ticks (as in the ' character) are blocked as a > > > minimum. > > > > > > Does anyone have any experience injecting this late in a query? Any > > > ideas would be greatly received. > > > > > > Regards > > > > > > Chris > > > > > > > > > ------------------------------------------------------------------------------ > > > Live Security Virtual Conference > > > Exclusive live event will cover all the ways today's security and > > > threat landscape has changed and how IT managers can respond. Discussions > > > will include endpoint security, mobile security and the latest in malware > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > _______________________________________________ > > > sqlmap-users mailing list > > > sql...@li... > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 11 > Date: Sun, 05 Aug 2012 14:06:55 +0400 > From: Happy User <rob...@gm...> > Subject: [sqlmap-users] MemoryError > To: sql...@li... > Message-ID: <501...@gm...> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > [*] starting at 14:00:21 > > [14:00:22] [INFO] testing connection to the target url > [14:00:23] [INFO] testing if the url is stable, wait a few seconds > [14:00:24] [INFO] url is stable > [14:00:24] [INFO] testing if GET parameter 'block' is dynamic > [14:00:25] [INFO] confirming that GET parameter 'block' is dynamic > [14:00:27] [INFO] GET parameter 'block' is dynamic > [14:00:36] [WARNING] large response detected. This could take a while > > [14:02:56] [CRITICAL] unhandled exception in sqlmap/1.0-dev-b483710, > retry your run with the latest development version from the G > itHub repository. If the exception persists, please send by e-mail to > 'sql...@li...' or open a new issue at > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > text and any information required to reproduce the bug. Th > e developers will try to reproduce the bug, fix it accordingly and get > back to you. > sqlmap version: 1.0-dev-b483710 > Python version: 2.7.3 > Operating system: nt > Command line: D:\Soft\sqlmap-dev\sqlmap.py -u > ************************************ --current-user --current-db > --is-dba --tables - > -dbs -c bulk > Technique: None > Back-end DBMS: None (identified) > Traceback (most recent call last): > File "D:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main > start() > File "D:\Soft\sqlmap-dev\lib\controller\controller.py", line 458, in > start > check = heuristicCheckSqlInjection(place, parameter) > File "D:\Soft\sqlmap-dev\lib\controller\checks.py", line 627, in > heuristicCheckSqlInjection > page, _ = Request.queryPage(payload, place, content=True, > raise404=False) > File "D:\Soft\sqlmap-dev\lib\request\connect.py", line 732, in queryPage > page, headers, code = Connect.getPage(url=uri, get=get, post=post, > cookie=cookie, ua=ua, referer=referer, host=host, silent=si > lent, method=method, auxHeaders=auxHeaders, response=response, > raise404=raise404, ignoreTimeout=timeBasedCompare) > File "D:\Soft\sqlmap-dev\lib\request\connect.py", line 498, in getPage > page = page if isinstance(page, unicode) else getUnicode(page) > File "D:\Soft\sqlmap-dev\lib\core\common.py", line 1861, in getUnicode > return unicode(value, UNICODE_ENCODING, "replace") > File "C:\Python27\lib\encodings\utf_8.py", line 16, in decode > return codecs.utf_8_decode(input, errors, True) > MemoryError > > [*] shutting down at 14:02:56 > > > > ------------------------------ > > Message: 12 > Date: Tue, 7 Aug 2012 00:01:31 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] sqlmap error > To: D Atkin <je...@ho...> > Cc: sql...@li... > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > Metasploit's module sqlmap(.rb) is obsolete. > > Kind regards, > Miroslav Stampar > > On Fri, Aug 3, 2012 at 6:37 PM, D Atkin <je...@ho...> wrote: > > > hi > > > > im try to run sqlmap from msf but i keep getting this error > > > > the sqlmap script could not be found: > > > > iv already had sqlmap path to system Path envirounment put im still > > getting this error. > > > > can u tell me what i can do from here. > > > > Thank you! > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 13 > Date: Tue, 7 Aug 2012 00:54:32 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] MemoryError > To: Happy User <rob...@gm...> > Cc: sql...@li... > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > This should be "patched" now [1], but nevertheless, it's interesting that > you are getting such large response immediately in such early phase. If you > don't mind you could send me more info privately. > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/139 > > On Sun, Aug 5, 2012 at 12:06 PM, Happy User <rob...@gm...>wrote: > > > [*] starting at 14:00:21 > > > > [14:00:22] [INFO] testing connection to the target url > > [14:00:23] [INFO] testing if the url is stable, wait a few seconds > > [14:00:24] [INFO] url is stable > > [14:00:24] [INFO] testing if GET parameter 'block' is dynamic > > [14:00:25] [INFO] confirming that GET parameter 'block' is dynamic > > [14:00:27] [INFO] GET parameter 'block' is dynamic > > [14:00:36] [WARNING] large response detected. This could take a while > > > > [14:02:56] [CRITICAL] unhandled exception in sqlmap/1.0-dev-b483710, > > retry your run with the latest development version from the G > > itHub repository. If the exception persists, please send by e-mail to > > 'sql...@li...' or open a new issue at > > 'https://github.com/sqlmapproject/sqlmap/issues/new' with the following > > text and any information required to reproduce the bug. Th > > e developers will try to reproduce the bug, fix it accordingly and get > > back to you. > > sqlmap version: 1.0-dev-b483710 > > Python version: 2.7.3 > > Operating system: nt > > Command line: D:\Soft\sqlmap-dev\sqlmap.py -u > > ************************************ --current-user --current-db > > --is-dba --tables - > > -dbs -c bulk > > Technique: None > > Back-end DBMS: None (identified) > > Traceback (most recent call last): > > File "D:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main > > start() > > File "D:\Soft\sqlmap-dev\lib\controller\controller.py", line 458, in > > start > > check = heuristicCheckSqlInjection(place, parameter) > > File "D:\Soft\sqlmap-dev\lib\controller\checks.py", line 627, in > > heuristicCheckSqlInjection > > page, _ = Request.queryPage(payload, place, content=True, > > raise404=False) > > File "D:\Soft\sqlmap-dev\lib\request\connect.py", line 732, in queryPage > > page, headers, code = Connect.getPage(url=uri, get=get, post=post, > > cookie=cookie, ua=ua, referer=referer, host=host, silent=si > > lent, method=method, auxHeaders=auxHeaders, response=response, > > raise404=raise404, ignoreTimeout=timeBasedCompare) > > File "D:\Soft\sqlmap-dev\lib\request\connect.py", line 498, in getPage > > page = page if isinstance(page, unicode) else getUnicode(page) > > File "D:\Soft\sqlmap-dev\lib\core\common.py", line 1861, in getUnicode > > return unicode(value, UNICODE_ENCODING, "replace") > > File "C:\Python27\lib\encodings\utf_8.py", line 16, in decode > > return codecs.utf_8_decode(input, errors, True) > > MemoryError > > > > [*] shutting down at 14:02:56 > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 14 > Date: Tue, 7 Aug 2012 14:24:35 +1000 > From: Peter Thomas <pe...@ha...> > Subject: Re: [sqlmap-users] Disable output coloring > To: sql...@li... > Message-ID: > <CAH...@ma...> > Content-Type: text/plain; charset=UTF-8 > > I agree that it would be handy to have a way to disable the color output. > > We also output to text for sending in our automated email reports. > > The other alternative is to use sed. > > sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" > > > -- > Regards, > > Peter > -------------------------------------------------- > Security Scanning Tools On-line > Web: http://hackertarget.com/ > -------------------------------------------------- > > > [sqlmap-users] Disable output coloring > > From: M Zverev <roberthacksley@gm...> - 2012-08-02 11:18 > > > > I often redirect sqlmap output to a text file with the command >, and > > that leave annoying marks like > > [0m > > > > > [31m > > at the beginning and the end of lines, and I have to clean that out. > > Is there a way to disable output coloring? > > > > > > > ------------------------------ > > Message: 15 > Date: Tue, 7 Aug 2012 10:59:10 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Disable output coloring > To: Peter Thomas <pe...@ha...> > Cc: sql...@li... > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > This should be fixed now [1]. sqlmap should handle this recognition of > redirected output automatically from now on. > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/140 > > On Tue, Aug 7, 2012 at 6:24 AM, Peter Thomas <pe...@ha...> wrote: > > > I agree that it would be handy to have a way to disable the color output. > > > > We also output to text for sending in our automated email reports. > > > > The other alternative is to use sed. > > > > sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" > > > > > > -- > > Regards, > > > > Peter > > -------------------------------------------------- > > Security Scanning Tools On-line > > Web: http://hackertarget.com/ > > -------------------------------------------------- > > > > > [sqlmap-users] Disable output coloring > > > From: M Zverev <roberthacksley@gm...> - 2012-08-02 11:18 > > > > > > I often redirect sqlmap output to a text file with the command >, and > > > that leave annoying marks like > > > [0m > > > > > > > > [31m > > > at the beginning and the end of lines, and I have to clean that out. > > > Is there a way to disable output coloring? > > > > > > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 16 > Date: Tue, 7 Aug 2012 22:25:42 +1000 > From: Peter Thomas <pe...@ha...> > Subject: Re: [sqlmap-users] Disable output coloring > To: Miroslav Stampar <mir...@gm...> > Cc: sql...@li... > Message-ID: > <CAH...@ma...> > Content-Type: text/plain; charset=UTF-8 > > Thanks Miroslav, > > Feature / bug fix completed in under 4hours. Nice work! > > > On Tue, Aug 7, 2012 at 6:59 PM, Miroslav Stampar > <mir...@gm...> wrote: > > Hi. > > > > This should be fixed now [1]. sqlmap should handle this recognition of > > redirected output automatically from now on. > > > > Kind regards, > > Miroslav Stampar > > > > [1] https://github.com/sqlmapproject/sqlmap/issues/140 > > > > On Tue, Aug 7, 2012 at 6:24 AM, Peter Thomas <pe...@ha...> wrote: > > > > > > I agree that it would be handy to have a way to disable the color output. > > > > > > We also output to text for sending in our automated email reports. > > > > > > The other alternative is to use sed. > > > > > > sed -r "s/\x1B\[([0-9]{1,2}(;[0-9]{1,2})?)?[m|K]//g" > > > > > > > > > -- > > > Regards, > > > > > > Peter > > > -------------------------------------------------- > > > Security Scanning Tools On-line > > > Web: http://hackertarget.com/ > > > -------------------------------------------------- > > > > > > > [sqlmap-users] Disable output coloring > > > > From: M Zverev <roberthacksley@gm...> - 2012-08-02 11:18 > > > > > > > > I often redirect sqlmap output to a text file with the command >, and > > > > that leave annoying marks like > > > > [0m > > > > > > > > > > > [31m > > > > at the beginning and the end of lines, and I have to clean that out. > > > > Is there a way to disable output coloring? > > > > > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > Live Security Virtual Conference > > > Exclusive live event will cover all the ways today's security and > > > threat landscape has changed and how IT managers can respond. Discussions > > > will include endpoint security, mobile security and the latest in malware > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > _______________________________________________ > > > sqlmap-users mailing list > > > sql...@li... > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > > > -- > > Miroslav Stampar > > http://about.me/stamparm > > > > > > > -- > Regards, > > Peter > -------------------------------------------------- > Security Scanning Tools On-line > Web: http://hackertarget.com/ > -------------------------------------------------- > > > > ------------------------------ > > Message: 17 > Date: Fri, 3 Aug 2012 17:27:30 -0700 (PDT) > From: muhammad husaini harun <hus...@ya...> > Subject: [sqlmap-users] ask error in sqlmap > To: "sql...@li..." > <sql...@li...> > Message-ID: > <134...@we...> > Content-Type: text/plain; charset="iso-8859-1" > > hello i get error when scan using sqlmap? > > [08:17:12] [CRITICAL] all parameters appear to be not injectable. Try to increase '--level'/'--risk' values to perform more tests. Also, you can try to rerun by providing a valid value for option '--regexp' as perhaps the regular expression that you have choosen does not match exclusively True responses > > [*] shutting down at 08:17:12 > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 18 > Date: Wed, 8 Aug 2012 10:15:09 -0500 > From: Brandon Perry <bpe...@gm...> > Subject: Re: [sqlmap-users] ask error in sqlmap > To: muhammad husaini harun <hus...@ya...> > Cc: "sql...@li..." > <sql...@li...> > Message-ID: > <CAO...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > This isn't an error. It is telling you all params in the query are not > injectable. > On Aug 8, 2012 9:48 AM, "muhammad husaini harun" <hus...@ya...> wrote: > > > hello i get error when scan using sqlmap > > > > [08:17:12] [CRITICAL] all parameters appear to be not injectable. Try to > > increase '--level'/'--risk' values to perform more tests. Also, you can try > > to rerun by providing a valid value for option '--regexp' as perhaps the > > regular expression that you have choosen does not match exclusively True > > responses > > > > [*] shutting down at 08:17:12 > > > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 19 > Date: Thu, 9 Aug 2012 09:53:19 +0200 > From: Marco Mirandola <mm...@gm...> > Subject: [sqlmap-users] tag FORM not supported > To: sql...@li... > Message-ID: > <CACzG1hLQgfSvsRdCqpsM_ekg0qJHsSkRr0msM6iyf4hYJr_=mQ...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi Sqlmap team :-) > > This is the error: > > ===================================================================== > [09:40:35] [INFO] testing connection to the target url > [09:40:36] [INFO] searching for forms > [09:40:37] [CRITICAL] there has been a problem while processing page forms > ('unk > nown GET form encoding type 'multipart/form-data'') > ===================================================================== > > And this is the stub of html page > ===================================================================== > > <form name="choice" enctype="multipart/form-data" method="GET" > action="/result.php" style="display:inline;"> > <select style="margin-bottom:10px;" name="categoria" id="categoria"> > <option value="">Tutti</option> > <option selected="selected" >Coppie</option> > <option value="a">a</option> > <option value="b">b</option> > <option value="c">c</option> > <option value="d">d</option> > <option >e</option> > <option >f</option> > <option >g</option> > <option >h</option> > <option value="i">i</option> > </select> > <br> > <select name="regione" id="regione" style="margin-top:8px; > margin-bottom:8px;"> > <option selected="selected"></option> > <option></option> > <option value="Abruzzo" >Abruzzo</option> > <option value="Basilicata" >Basilicata</option> > <option value="Calabria" >Calabria</option> > <option value="Campania" >Campania</option> > <option value="Emilia Romagna" >Emilia Romagna</option> > <option value="Friuli" >Friuli</option> > <option value="Lazio">Lazio</option> > <option value="Liguria" >Liguria</option> > <option value="Lombardia" >Lombardia</option> > <option value="Marche" >Marche</option> > <option value="Molise" >Molise</option> > <option value="Piemonte" >Piemonte</option> > <option value="Puglia" >Puglia</option> > <option value="Sardegna" >Sardegna</option> > <option value="Sicilia" >Sicilia</option> > <option value="Toscana" >Toscana</option> > <option value="Trentino" >Trentino</option> > <option value="Umbria" >Umbria</option> > <option value="ValleAosta" >Valle d'Aosta</option> > <option value="Veneto" >Veneto</option> > <option value="estero" >...all'estero</option> > </select><br /> > <input name="check1" type="checkbox" value="1" /> > <input name="check1" type="checkbox" value="1" /> > <input name="check1" type="checkbox" value="1" /> > <br /> > <input type="Image" name="Invia" img src=" > http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/img/go.gif" > width="55" height="19"> > </div> > </form> > > ===================================================================== > > Best regards > > Marco Mirandola > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 20 > Date: Thu, 9 Aug 2012 16:06:59 +0800 > From: Timon Wang <tim...@gm...> > Subject: Re: [sqlmap-users] tag FORM not supported > To: Marco Mirandola <mm...@gm...> > Cc: sql...@li... > Message-ID: > <CAH+8Fsw5jKctkXP77EkR7ZH93Uy6Gb1e=HOd-k=Z_z...@ma...> > Content-Type: text/plain; charset=ISO-8859-1 > > So special... > Form method is get ,and enctype equals multipart/form-data. That's not > a valid form, you can't use this to upload file or submit data I > think. > > On Thu, Aug 9, 2012 at 3:53 PM, Marco Mirandola <mm...@gm...> wrote: > > Hi Sqlmap team :-) > > > > This is the error: > > > > ===================================================================== > > [09:40:35] [INFO] testing connection to the target url > > [09:40:36] [INFO] searching for forms > > [09:40:37] [CRITICAL] there has been a problem while processing page forms > > ('unk > > nown GET form encoding type 'multipart/form-data'') > > ===================================================================== > > > > And this is the stub of html page > > ===================================================================== > > > > <form name="choice" enctype="multipart/form-data" method="GET" > > action="/result.php" style="display:inline;"> > > <select style="margin-bottom:10px;" name="categoria" id="categoria"> > > <option value="">Tutti</option> > > <option selected="selected" >Coppie</option> > > <option value="a">a</option> > > <option value="b">b</option> > > <option value="c">c</option> > > <option value="d">d</option> > > <option >e</option> > > <option >f</option> > > <option >g</option> > > <option >h</option> > > <option value="i">i</option> > > </select> > > <br> > > <select name="regione" id="regione" style="margin-top:8px; > > margin-bottom:8px;"> > > <option selected="selected"></option> > > <option></option> > > <option value="Abruzzo" >Abruzzo</option> > > <option value="Basilicata" >Basilicata</option> > > <option value="Calabria" >Calabria</option> > > <option value="Campania" >Campania</option> > > <option value="Emilia Romagna" >Emilia Romagna</option> > > <option value="Friuli" >Friuli</option> > > <option value="Lazio">Lazio</option> > > <option value="Liguria" >Liguria</option> > > <option value="Lombardia" >Lombardia</option> > > <option value="Marche" >Marche</option> > > <option value="Molise" >Molise</option> > > <option value="Piemonte" >Piemonte</option> > > <option value="Puglia" >Puglia</option> > > <option value="Sardegna" >Sardegna</option> > > <option value="Sicilia" >Sicilia</option> > > <option value="Toscana" >Toscana</option> > > <option value="Trentino" >Trentino</option> > > <option value="Umbria" >Umbria</option> > > <option value="ValleAosta" >Valle d'Aosta</option> > > <option value="Veneto" >Veneto</option> > > <option value="estero" >...all'estero</option> > > </select><br /> > > <input name="check1" type="checkbox" value="1" /> > > <input name="check1" type="checkbox" value="1" /> > > <input name="check1" type="checkbox" value="1" /> > > <br /> > > <input type="Image" name="Invia" img > > src="http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/img/go.gif" > > width="55" height="19"> > > </div> > > </form> > > > > ===================================================================== > > > > Best regards > > > > Marco Mirandola > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Focus on: Network security,Scanner,NodeJS,JAVA,WWW > Blog: http://www.nohouse.net > > > > ------------------------------ > > Message: 21 > Date: Thu, 9 Aug 2012 11:33:55 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] tag FORM not supported > To: Timon Wang <tim...@gm...> > Cc: sql...@li... > Message-ID: > <CA+9yoX0y5=K2qzgUhDgGCpQrh=V679WVrP=y8c...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi all. > > Timon is right. I don't have anything more to say. > > Kind regards, > Miroslav Stampar > > On Thu, Aug 9, 2012 at 10:06 AM, Timon Wang <tim...@gm...> wrote: > > > So special... > > Form method is get ,and enctype equals multipart/form-data. That's not > > a valid form, you can't use this to upload file or submit data I > > think. > > > > On Thu, Aug 9, 2012 at 3:53 PM, Marco Mirandola <mm...@gm...> wrote: > > > Hi Sqlmap team :-) > > > > > > This is the error: > > > > > > ===================================================================== > > > [09:40:35] [INFO] testing connection to the target url > > > [09:40:36] [INFO] searching for forms > > > [09:40:37] [CRITICAL] there has been a problem while processing page > > > > > > > forms > > > ('unk > > > nown GET form encoding type 'multipart/form-data'') > > > ===================================================================== > > > > > > And this is the stub of html page > > > ===================================================================== > > > > > > <form name="choice" enctype="multipart/form-data" method="GET" > > > action="/result.php" style="display:inline;"> > > > <select style="margin-bottom:10px;" name="categoria" id="categoria"> > > > <option value="">Tutti</option> > > > <option selected="selected" >Coppie</option> > > > <option value="a">a</option> > > > <option value="b">b</option> > > > <option value="c">c</option> > > > <option value="d">d</option> > > > <option >e</option> > > > <option >f</option> > > > <option >g</option> > > > <option >h</option> > > > <option value="i">i</option> > > > </select> > > > <br> > > > <select name="regione" id="regione" style="margin-top:8px; > > > margin-bottom:8px;"> > > > <option selected="selected"></option> > > > <option></option> > > > <option value="Abruzzo" >Abruzzo</option> > > > <option value="Basilicata" >Basilicata</option> > > > <option value="Calabria" >Calabria</option> > > > <option value="Campania" >Campania</option> > > > <option value="Emilia Romagna" >Emilia Romagna</option> > > > <option value="Friuli" >Friuli</option> > > > <option value="Lazio">Lazio</option> > > > <option value="Liguria" >Liguria</option> > > > <option value="Lombardia" >Lombardia</option> > > > <option value="Marche" >Marche</option> > > > <option value="Molise" >Molise</option> > > > <option value="Piemonte" >Piemonte</option> > > > <option value="Puglia" >Puglia</option> > > > <option value="Sardegna" >Sardegna</option> > > > <option value="Sicilia" >Sicilia</option> > > > <option value="Toscana" >Toscana</option> > > > <option value="Trentino" >Trentino</option> > > > <option value="Umbria" >Umbria</option> > > > <option value="ValleAosta" >Valle d'Aosta</option> > > > <option value="Veneto" >Veneto</option> > > > <option value="estero" >...all'estero</option> > > > </select><br /> > > > <input name="check1" type="checkbox" value="1" /> > > > <input name="check1" type="checkbox" value="1" /> > > > <input name="check1" type="checkbox" value="1" /> > > > <br /> > > > <input type="Image" name="Invia" img > > > src=" > > > > > > > http://xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/img/go.gif > > " > > > width="55" height="19"> > > > </div> > > > </form> > > > > > > ===================================================================== > > > > > > Best regards > > > > > > Marco Mirandola > > ------------------------------------------------------------------------------ > > > Live Security Virtual Conference > > > Exclusive live event will cover all the ways today's security and > > > threat landscape has changed and how IT managers can respond. Discussions > > > will include endpoint security, mobile security and the latest in malware > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > _______________________________________________ > > > sqlmap-users mailing list > > > sql...@li... > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > > > -- > > Focus on: Network security,Scanner,NodeJS,JAVA,WWW > > Blog: http://www.nohouse.net > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 22 > Date: Thu, 9 Aug 2012 12:23:47 +0200 > From: Marco Mirandola <mm...@gm...> > Subject: Re: [sqlmap-users] tag FORM not supported > To: Miroslav Stampar <mir...@gm...> > Cc: sql...@li... > Message-ID: > <CACzG1h+fNw5PMZ+=4fw...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > But rather than check enctype = "multipart / form-data", which in my case > does not include any upload (see attached html), because not only excludes > only the possible upload? > we are in the attached example: > > 2 select (combobox) > 3 checkboxes > > both valid for the injection ... > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 23 > Date: Thu, 9 Aug 2012 11:42:03 +0100 > From: Chris Oakley <chr...@gm...> > Subject: Re: [sqlmap-users] tag FORM not supported > To: Marco Mirandola <mm...@gm...> > Cc: sql...@li... > Message-ID: > <CAF6VE=oG1c5TSXvAN6C6SXyLkMHLXTqFRWju=qe_...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Even though it's wrong to use GET with this enctype, I think it will still > work: > > http://oi49.tinypic.com/2yn2r9w.jpg > > So if this is interacting with a database, there could still be an > injection. Perhaps the check that sqlmap does is too simplistic? > > Regards > > Chris > > On 9 August 2012 11:23, Marco Mirandola <mm...@gm...> wrote: > > > But rather than check enctype = "multipart / form-data", which in my case > > does not include any upload (see attached html), because not only excludes > > only the possible upload? > > we are in the attached example: > > > > 2 select (combobox) > > 3 checkboxes > > > > both valid for the injection ... > > > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 24 > Date: Thu, 9 Aug 2012 13:48:45 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] tag FORM not supported > To: Chris Oakley <chr...@gm...> > Cc: sql...@li... > Message-ID: > <CA+9yoX2EX-Gx9Ji_JCDaa_dpxzMfLNymQh-t3__CQSUArr-=9w...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > This is solely coming from a 3rd party library ClientForm [1] and we don't > like to change anything inside those. Nevertheless, find it "patched" with > the latest commit [2]. > > Kind regards, > Miroslav Stampar > > [1] http://pypi.python.org/pypi/ClientForm/0.2.10 > [2] https://github.com/sqlmapproject/sqlmap/issues/143 > > On Thu, Aug 9, 2012 at 12:42 PM, Chris Oakley > <chr...@gm...>wrote: > > > Even though it's wrong to use GET with this enctype, I think it will still > > work: > > > > http://oi49.tinypic.com/2yn2r9w.jpg > > > > So if this is interacting with a database, there could still be an > > injection. Perhaps the check that sqlmap does is too simplistic? > > > > Regards > > > > Chris > > > > On 9 August 2012 11:23, Marco Mirandola <mm...@gm...> wrote: > > > > > But rather than check enctype = "multipart / form-data", which in my case > > > does not include any upload (see attached html), because not only excludes > > > only the possible upload? > > > we are in the attached example: > > > > > > 2 select (combobox) > > > 3 checkboxes > > > > > > both valid for the injection ... > > > > > > > > > > > > ------------------------------------------------------------------------------ > > > Live Security Virtual Conference > > > Exclusive live event will cover all the ways today's security and > > > threat landscape has changed and how IT managers can respond. Discussions > > > will include endpoint security, mobile security and the latest in malware > > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > > _______________________________________________ > > > sqlmap-users mailing list > > > sql...@li... > > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 25 > Date: Thu, 16 Aug 2012 12:35:25 +0700 > From: root rieqy <roo...@gm...> > Subject: [sqlmap-users] Rieqy Erysya > To: sql...@li... > Message-ID: > <CAN...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hello sqlmap team :D > i had download new version of sqlmap(sqlmap version 1.0) > and i have always get error when every i write : > [code]F:\sqlmap>sqlmap.py -g "inurl:view.php?id=23"[/code] > it syntax giving error like this: > [code][12:21:35] [CRITICAL] unable to find results for your Google dork > expression[/code] > > why it happened ? whereas I've download new version of sqlmap > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 26 > Date: Thu, 16 Aug 2012 11:33:24 +0200 > From: Miroslav Stampar <mir...@gm...> > Subject: Re: [sqlmap-users] Rieqy Erysya > To: root rieqy <roo...@gm...> > Cc: sql...@li... > Message-ID: > <CA+...@ma...> > Content-Type: text/plain; charset="iso-8859-1" > > Hi. > > Find it fixed now [1]. > > Kind regards, > Miroslav Stampar > > [1] https://github.com/sqlmapproject/sqlmap/issues/59 > > On Thu, Aug 16, 2012 at 7:35 AM, root rieqy <roo...@gm...> wrote: > > > Hello sqlmap team :D > > i had download new version of sqlmap(sqlmap version 1.0) > > and i have always get error when every i write : > > [code]F:\sqlmap>sqlmap.py -g "inurl:view.php?id=23"[/code] > > it syntax giving error like this: > > [code][12:21:35] [CRITICAL] unable to find results for your Google dork > > expression[/code] > > > > why it happened ? whereas I've download new version of sqlmap > > > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > sqlmap-users mailing list > > sql...@li... > > https://lists.sourceforge.net/lists/listinfo/sqlmap-users > > > > > > -- > Miroslav Stampar > http://about.me/stamparm > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 27 > Date: Fri, 17 Aug 2012 14:10:53 +0200 > From: Sergio Molina <sm...@wp...> > Subject: [sqlmap-users] Anyone having trouble with --eval? > To: sql...@li... > Message-ID: > <CAF...@ma...> > Content-Type: text/plain; charset="windows-1252" > > Hi there > > Just downloaded latest dev version (actually I did yesterday). I am having > trouble with --eval, sqlmap complains when running evaluateCode with > modified parameters (something like pincode=abc123'' stuff). More > precisely, the following lines in lib/request/connect.py: > > for part in item.split(delimiter): > if '=' in part: > name, value = part.split('=', 1) > evaluateCode(?%s='%s'? % (name, value), variables) > > When providing next value for --eval: > > --eval "import random;import urllib2;numRequest=random.randint(1, > 999999999);userId='sq...@wp...'+str(numRequest);headers = { > 'Accept-Language' : 'en-us,en;q=0.5 '}; req = > urllib2.Request('${SAFE_UPSELL_URL}&userId='+ userId, None, headers); > response = urllib2.urlopen(req);" > > Just want to do something like --safe-url and --safe-freq combination but > using same userId fo both related requests while using different userId for > every other pair of requests. > > Sorry I am not good at python. Am I missing anything ? Or is it a bug ? > > Thanks in advance ! > > Regards > Sergio M > -------------- next part -------------- > An HTML attachment was scrubbed... > > ------------------------------ > > Message: 28 > Date: Mon, 20 Aug 2012 00:11:40 +0400 > From: Happy User <rob...@gm...> > Subject: [sqlmap-users] UnicodeEncodeError: 'ascii' codec can't encode > characters in position 32-47: ordinal not in range(128) > To: sql...@li... > Message-ID: <503...@gm...> > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > > Traceback (most recent call last): > File "D:\Soft\sqlmap-dev\_sqlmap.py", line 72, in main > start() > File "D:\Soft\sqlmap-dev\lib\controller\controller.py", line 355, in > start > checkNullConnection() > File "D:\Soft\sqlmap-dev\lib\controller\checks.py", line 960, in > checkNullConnection > page, headers, _ = Request.getPage(method=HTTPMETHOD.HEAD) > File "D:\Soft\sqlmap-dev\lib\request\connect.py", line 322, in getPage > conn = urllib2.urlopen(req) > File "C:\Python27\lib\urllib2.py", line 126, in urlopen > return _opener.open(url,... [truncated message content] |
